I am still unsure of what the #freenginx thing actually implies. Obviously everyone wants to side with the plucky dev against the faceless corp, but I also noticed this:
Dounin complains, if I'm reading this correctly, that #NGINX corp sent a #security advisory about an important bug rather than just wait for a regular release on the regular schedule. The bug was in an experimental part of the web server (namely HTTP3 support) so the solution presumably for end users was to disable that feature on production, which was strictly optional in the real world, it wasn't that the only way to fix it was updated code.
And... I'm not seeing what's wrong with that. Obviously I don't want disclosure of the "Suddenly everyone has to wait for an update because now all the script kiddies know" variety, but otherwise early disclosure is good, correct?
Genuine question, would be curious to know your thoughts.
